----- Original Message -----
From: "1LT John W. Holmes" <[EMAIL PROTECTED]>
To: "Danny Shepherd" <[EMAIL PROTECTED]>; "PHP-General"
Sent: Tuesday, July 30, 2002 8:18 PM
Subject: Re: [PHP] Serialised Data & DBs

> Yes, it'd be really smart to. If any of the data in the serialized string
> has a ' or " in it, it could break your query. Or the user being able to
> enter a ' or " into the data could open you to SQL attacks.
> You want to do addslashes() on the result of serialize(), not the content
> going into it, too. PHP will introduct double quotes around any strings
> are serialized. These should be escaped or they could end up breaking your
> query.
Yeah, the contents are already stripslashed.

> Note that you don't have to do stripslashes() on the serialized string
> you pull it out.

Cool, didn't realise that - would've been hard to track down later too!



PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to